Introduction 

In [4], the authors give two public key encryptions based on third order linear 
sequences modulo $n^2$, where $n = pq$ is an RSA integer. In their scheme (3), there 
are two mistakes in the decryption procedure: 

(1) The owner of the private key does not know the value of $m$ such that 
$C_1 = s_m(a,b)$ and $C_2 = s_{-m}(a,b)$, and thus he/she cannot compute 
$L(C_1, C_2)$. 

(2) If $s_\lambda(a,b) = 3$ modulo $n^2$, then $L(a,b)$ is not invertible modulo $n$. It follows 
that the owner of the private key cannot decrypt the cipher $C = (C_1, C_2)$ 
since he/she cannot compute ■ 

In this short note, in order to decrypt the ciphertext $C = (C_1, C_2)$, another map $L$ 
similar to that given in [4] is constructed. More precisely, if $L(a,b)$ is not invertible 
modulo $n$, we describe a method how to choose $(a,b)$ such that $L(a,b)$ is invertible 
modulo $n$ and how to compute $L(C_1, C_2)$. 

1. Third order Linear sequences 

Let $p$ be an odd prime integer, $(a,b) \in \mathbb{Z}^2$ and $s(a,b)$ be the third order linear 
sequence defined by $s_{k+3}(a,b) = a\,s_{k+2}(a,b) - b\,s_{k+1}(a,b) + s_k(a,b)$ ($(a,b)$ 
is called the generator of $s(a,b)$ and $k$ is the exponent). Let $\alpha_1$, $\alpha_2$ and $\alpha_3$ be the 
complex roots of $f(X)$. Then there exists $(a_1, a_2, a_3) \in \mathbb{Q}^3$ such that for every $k \in \mathbb{Z}$, 
$s_k(a,b) = a_1\alpha_1^k + a_2\alpha_2^k + a_3\alpha_3^k$. Note that the tuple $(a_1, a_2, a_3)$ depends on the choice 
of $s_2(a,b)$, $s_0(a,b)$ and $s_1(a,b)$. For $(a_1, a_2, a_3) \in \mathbb{Z}^3$ such that $a_1 = a_2 = a_3 = 1\ [p]$ 
(modulo $p$), we have $s_0(a,b) = 3$, $s_1(a,b) = a$ and $s_{-1}(a,b) = b$ modulo $p$. 

In the following, we assume that $a_1 = a_2 = a_3 = 1\ [p]$. Denote $Tr_{K/\mathbb{Q}}$ and $N_{K/\mathbb{Q}}$ 
the trace and norm maps of $K$. Then $s_k(a,b) = Tr_{K/\mathbb{Q}}(\alpha_1^k)\ [p]$ and for every $i$, 
$N_{K/\mathbb{Q}}(\alpha_i) = (\alpha_i)^{p^2+p+1} = 1\ [p]$. Thus, $p^2+p+1$ is a period of $s(a,b)$ modulo $p$. 

The following cryptographic applications of LFSR sequences are listed in [S] . 
We present them without proof. 

(1) For every $k \in \mathbb{Z}$, let $f_k(X) = X^3 - s_k(a,b)X^2 + s_{-k}(a,b)X - 1\ [p]$. Then 
$f_k(X) = (X - \alpha_1^k)(X - \alpha_2^k)(X - \alpha_3^k)\ [p]$. 

(2) In particular, for every $k$ and $e$, $s_e(s_k(a,b), s_{-k}(a,b)) = s_{ke}(a,b)\ [p]$. 
2. Clarification remarks considering [4] 

In this section, in order to decrypt a cipher $C = (c_1, c_2)$ as given in [4, Sec. 3 
and 4], let $n = pq$ be an RSA integer, $(a,b) \in \mathbb{N}^2$ such that $f(X) = X^3 - aX^2 + bX - 1$ 
is irreducible modulo $p$ (resp. modulo $q$). Let $s_k(a,b)$ be the third order linear 
sequence modulo $n^2$ generated by $(a,b)$ such that $s_0(a,b) = 3$, $s_1(a,b) = a$ and 
$s_{-1}(a,b) = b$ modulo $n$. 

In order to have $\frac{s_\lambda(a,b) - 3}{n}\ [n]$ invertible, if $s_\lambda(a,b) \neq 3\ [n^2]$, then we will keep 
$s_0(a,b) = 3$, $s_1(a,b) = a$ and $s_{-1}(a,b) = b$ modulo $n^2$. If $s_\lambda(a,b) = 3\ [n^2]$, 
then let $A = a + n$, $\beta_1$, $\beta_2$ and $\beta_3$ the roots of $g(X) = X^3 - AX^2 + bX - 1$. 

Let $s(A,b)$ be the characteristic sequence generated by $A$ and $b$ modulo $n^2$: 

$$s_{k+3}(A,b) = A\,s_{k+2}(A,b) - b\,s_{k+1}(A,b) + s_k(A,b)\ [n^2]$$

$$s_0(A,b) = 3,\quad s_1(A,b) = A,\quad s_{-1}(A,b) = b\ [n^2]$$

Since $f(X) = g(X)\ [n]$, then up to a permutation for every $1 \le i \le 3$, there exists 
$t_i \in \mathbb{C}$ such that $\beta_i = \alpha_i + n t_i$. Thus, for every integer $k$, $s_k(A,b) = \sum_{i=1}^{3}\beta_i^k = 
\sum_{i=1}^{3}(\alpha_i + n t_i)^k = \sum_{i=1}^{3}(\alpha_i +$ $= s_k(a,b) + nk(t_1 + t_2 + t_3)$ modulo $[n^2]$. For 
$k = 1$, we have $t_1 + t_2 + t_3 = 1\ [n]$. Thus, $s_\lambda(A,b) = s_\lambda(a,b) + n\lambda\ [n^2]$, and then 
$\frac{s_\lambda(A,b) - 3}{n} = \lambda\ [n]$ is invertible. Finally, without loss of generality, up to replacing $a$ 
by $a + n$, we can assume that $\frac{s_\lambda(a,b) - 3}{n}$ is invertible modulo $n$, where $\lambda$ is the least 
common multiple of $(p^2 + p + 1, q^2 + q + 1)$. 

Proposition 1. (1) For every $k \in \mathbb{Z}$, let $f_k(X) = X^3 - s_k(a,b)X^2 + s_{-k}(a,b)X - 1\ [n^2]$. 
Then $f_k(X) = (X - \alpha_1^k)(X - \alpha_2^k)(X - \alpha_3^k)\ [n^2]$. 

(2) In particular, for every $k$ and $e$, $s_e(s_k(a,b), s_{-k}(a,b)) = s_{ke}(a,b)\ [n^2]$. 

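Proof. Since $s_k(a,b) = \sum_{i=1}^{3}\alpha_i^k$, $\alpha_1^k\alpha_2^k\alpha_3^k = 1\ [n^2]$ and $\alpha_1^k\alpha_2^k + \alpha_1^k\alpha_3^k + 
\alpha_2^k\alpha_3^k = \alpha_1^{-k} + \alpha_2^{-k} + \alpha_3^{-k}\ [n^2]$. ■ 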

Let $T = \{(x,y) \in \mathbb{Z}^2,\ s_\lambda(x,y) = 3\ [n]\}$ and $L$ be the map defined on $T$ 
by $L(x,y) = \frac{s_\lambda(x,y) - 3}{n}\ [n]$. Since $s_\lambda(x,y) = 3\ [n]$, then $L$ is well defined. 

Proposition 2. For every integer k, L (M n ^)^-fc(a,i>)) = 

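Proof. First, $L(a,b) = \frac{s_\lambda(a,b) - 3}{n}$ is invertible modulo $n$. Let $\Gamma^1 = \{x : 
x = 1\ [n]\}$ and $L^1$ be the map defined on $\Gamma^1$ by $L^1(x) = \frac{x - 1}{n}\ [n]$. 

Then for every $(x,y) \in (\Gamma^1)^2$, $L^1(xy) = \frac{xy - 1}{n} = \frac{x(y - 1)}{n} + \frac{x - 1}{n} = 
x L^1(y) + L^1(x)\ [n]$. Since $x = 1\ [n]$, $L^1(xy) = L^1(x) + L^1(y)\ [n]$. 
Let $\lambda = k_p(p^2 + p + 1)$ and $1 \le i \le 3$. Since $N_{K/\mathbb{Q}}(\alpha_i) = \alpha_i^{p^2+p+1}\ [p]$, $\alpha_i^\lambda = 
(N_{K/\mathbb{Q}}(\alpha_i))^{k_p} = 1\ [p]$ (resp. modulo $q$). It follows that $\alpha_i^\lambda = 1\ [n]$, $\alpha_i^\lambda \in \Gamma^1$ and 
$L^1(\alpha_i^{k\lambda}) = k L^1(\alpha_i^\lambda)\ [n]$. Therefore, $s_{k\lambda}(a,b) - 3 = (\alpha_1^{k\lambda} - 1) + (\alpha_2^{k\lambda} - 1) + (\alpha_3^{k\lambda} - 
1)\ [n]$, $L(s_k(a,b), s_{-k}(a,b)) = \frac{s_{k\lambda}(a,b) - 3}{n} = \sum_{i=1}^{3} L^1(\alpha_i^{k\lambda}) = k\sum_{i=1}^{3} L^1(\alpha_i^\lambda)\ [n]$ and 
$L(a,b) = \frac{s_\lambda(a,b) - 3}{n} = \sum_{i=1}^{3} L^1(\alpha_i^\lambda)\ [n]$. As $L(a,b)$ is invertible modulo $n$, $= 
k\ [n]$. ■ 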

2.1. The deterministic version. Algorithm of encryption and decryption 
in Scheme 3 of [4] 

(1) Public parameters: (n,a,b) 



NOTES ON TWO METHODS FOR DIRECT CONSTRUCTION OF PROBABILISTIC LFSR SEQUENCES OF THIRD ORDER 



(2) Private parameters: (p, q) 

(3) Encryption: For a message < m < n, Bob calculates the ciphertext block 
$C = (c_1, c_2)$ such that $c_1 = s_m(a,b)$, $c_2 = s_{-m}(a,b)\ [n^2]$. 

(4) Decryption: For a given ciphertext block c, Alice can decrypt it by 
calculating^M. 

Indeed, since $c = (c_1, c_2)$ is a ciphertext, let < m < n such that $c_1 = s_m(a,b)$ 
and $c_2 = s_{-m}(a,b)$. Then $s_\lambda(c_1, c_2) = s_\lambda(s_m(a,b), s_{-m}(a,b)) = s_{m\lambda}(a,b) = 3$ 
modulo $n$. Thus, $L(c_1, c_2)$ is well defined and $\frac{L(c_1, c_2)}{L(a,b)} = \frac{L(s_m(a,b), s_{-m}(a,b))}{L(a,b)} = m\ [n]$. ■ 
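
As an added illustration (not code from this note or from [4]), the Python below computes $s_k(a,b)$ modulo $n^2$ as the trace of the $k$-th power of the companion matrix of $f$, builds a ciphertext of the deterministic version, and evaluates the map $L$ together with the invertibility precondition on $L(a,b)$ that the decryption relies on. The toy key $p = 7$, $q = 11$, $(a,b) = (1,3)$ and all function names are assumptions chosen for this example.

```python
from math import gcd

def mat_mul(X, Y, mod):
    """3x3 matrix product modulo mod."""
    return [[sum(X[i][t] * Y[t][j] for t in range(3)) % mod
             for j in range(3)] for i in range(3)]

def s(k, a, b, mod):
    """s_k(a, b) modulo mod, as the trace of M^k, where M is the companion
    matrix of X^3 - aX^2 + bX - 1. Negative k uses s_{-k}(a, b) = s_k(b, a)."""
    if k < 0:
        return s(-k, b, a, mod)
    result = [[1, 0, 0], [0, 1, 0], [0, 0, 1]]
    base = [[a % mod, -b % mod, 1], [1, 0, 0], [0, 1, 0]]
    while k:                                  # square-and-multiply
        if k & 1:
            result = mat_mul(result, base, mod)
        base = mat_mul(base, base, mod)
        k >>= 1
    return (result[0][0] + result[1][1] + result[2][2]) % mod

def irreducible_mod(a, b, p):
    """A cubic is irreducible over F_p exactly when it has no root in F_p."""
    return all((x**3 - a * x**2 + b * x - 1) % p for x in range(p))

# Constructed toy parameters (assumptions; far too small for real use).
P, Q = 7, 11
N1, N2 = P * Q, (P * Q) ** 2                  # n and n^2
A, B = 1, 3                                   # generator (a, b)
LAM = (P*P + P + 1) * (Q*Q + Q + 1) // gcd(P*P + P + 1, Q*Q + Q + 1)

def encrypt(m):
    """Deterministic version: C = (s_m(a, b), s_{-m}(a, b)) modulo n^2."""
    return s(m, A, B, N2), s(-m, A, B, N2)

def l_map(x, y):
    """L(x, y) = (s_lambda(x, y) - 3)/n modulo n; defined only on T."""
    v = s(LAM, x, y, N2)
    if (v - 3) % N1:
        raise ValueError("(x, y) is not in T: s_lambda(x, y) != 3 modulo n")
    return ((v - 3) // N1) % N1

def generator_usable(a, b):
    """Precondition of the decryption: L(a, b) must be invertible modulo n."""
    return gcd(l_map(a, b), N1) == 1
```
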

2.2. The probabilistic version. Algorithm of encryption and decryption 
in Scheme 3 of [4] 

(1) Public parameters: (n, a, b) 

(2) Private parameters: (p, q) 

(3) Encryption: For a message < m < n, Bob selects a random integer $r$ and 
calculates the ciphertext block $C = (c_1, c_2)$ such that $c_1 = s_{rn+m}(a,b)$, $c_2 = 
s_{-(rn+m)}(a,b)\ [n^2]$. 

(4) Decryption: For a given ciphertext block c, Alice can decrypt it by 
calculating^W. 